sinn3r
02b1c5c4bc
Final changes
2014-10-30 13:37:02 -05:00
sinn3r
127d1640da
Print password
2014-10-30 13:27:40 -05:00
Joe Vennix
6dc13f90cd
Update descriptions to mention Webview bugginess.
2014-10-30 10:55:56 -05:00
Joe Vennix
0ad9f95806
Remove stray alert() for debugging.
2014-10-30 10:52:06 -05:00
Joe Vennix
88040fbce0
Add another Android < 4.4 UXSS exploit.
2014-10-30 10:34:14 -05:00
Jon Hart
15e1c253fa
Numerous cleanups for snmp_enumusers
...
* Bring in line with Ruby standards
* More sane format for adding new OSs
* Better logging for use on larger networks
* Better error handling
2014-10-29 23:54:32 -07:00
Peter Arzamendi
9d56f0298a
Changed upper XXX to lower XXX.
2014-10-29 20:09:02 -05:00
Peter Arzamendi
b35a8935db
Updated get_once for get_once undefined method and EOFError
2014-10-29 13:47:07 -05:00
Peter Arzamendi
2bc8767751
Updated rescue to catch other errors from the socket API
2014-10-29 08:03:28 -05:00
Jon Hart
ba5035c7ef
Prevent calling match when there is no WWW-auth header
2014-10-28 17:13:57 -07:00
Jon Hart
a5d883563d
Abort if 2013 desired but redirect didn't happen
2014-10-28 15:59:22 -07:00
Jon Hart
7ca4ba26b0
Show more helpful vprint messages when login fails
2014-10-28 15:48:04 -07:00
Jon Hart
bce8f34a71
Set proper Cookie header from built cookie string
2014-10-28 15:41:36 -07:00
Jon Hart
a3e1e11987
Ensure necessary cookies are present in OWA 2010 login response
2014-10-28 15:40:15 -07:00
Peter Arzamendi
604cad9fbb
Updated timeout to default to 45 seconds to wait for the print job to finish.
2014-10-28 15:45:28 -05:00
Peter Arzamendi
b17d6a661d
Moved module to auxiliary/gather and updated timeout to wait for the printer job to complete before we try to grab the creds.
2014-10-28 15:23:47 -05:00
Peter Arzamendi
0e42cf25d1
Updated per wchen-r7's recommendations. Still waiting to hear on Nokogiri
2014-10-28 15:13:16 -05:00
Tod Beardsley
9c028c1435
Fixes #4083 , make the split nil-safe
...
In the reported case, the expected cookies were not present on the
response, thus, the second split was trying to split a `nil`. This
solves the immediately problem by a) splitting up the splits into
discrete sections, and b) `NilClass#to_s`'ing the result of the first
split.
This makes the split safe. Now, there may be a larger issue here where
you're not getting the expected cookies -- it sounds like the target in
this case is responding differently, which implies that the module isn't
going to be effective against that particular target. But, at least it
won't crash. It may merely try fruitlessly the entire run, though. I
can't know without looking at a pcap, and in the reported case, a pcap
seems unlikely since this was a bug found in the field.
2014-10-28 14:59:20 -05:00
Peter Arzamendi
1012cd8d6b
Updated based on wchen-r7 feedback.
2014-10-28 11:38:50 -05:00
Tod Beardsley
dade6b97ba
Land #4088 , wget exploit
...
Fixes #4077 as well.
2014-10-28 09:03:07 -05:00
sinn3r
e31c9f579d
Land #3987 - Buffalo Linkstation NAS Login Scanner
2014-10-28 01:45:57 -05:00
HD Moore
64c206fa62
Add module for CVE-2014-4877 (Wget)
2014-10-27 23:37:41 -05:00
Peter Arzamendi
0b225d94b1
Xerox Admin password extractor.
2014-10-27 19:26:40 -05:00
jvazquez-r7
b990b14a65
Land #3771 , @us3r777's deletion of jboss_bshdeployer STAGERNAME option
2014-10-27 18:09:35 -05:00
parzamendi-r7
f7f6cff327
Update xerox_workcentre_5XXX_ldap.rb
2014-10-27 17:23:47 -05:00
Peter Arzamendi
f119abbf8c
Xerox workcentre 5735 LDAP credential extractor
2014-10-27 15:52:12 -05:00
Jon Hart
b8c9ef96ca
Land #4003 , @nstarke's Login Scanner for WD MyBook Live NAS
2014-10-27 09:57:43 -07:00
scriptjunkie
4dfbce425a
use vprintf...
2014-10-26 09:20:32 -05:00
scriptjunkie
c31fb0633d
Merge branch 'wp-psexeccmd' of github.com:webstersprodigy/metasploit-framework into webstersprodigy-wp-psexeccmd
2014-10-26 09:05:25 -05:00
Jon Hart
83df08aaa7
Properly encode body and catch invalid configs
2014-10-22 22:43:06 -07:00
sinn3r
0ea03c00a5
Use print_brute instead of print_good for format consistency
2014-10-22 16:14:45 -05:00
Jon Hart
ce8a9941ea
Cleanup. Sanity check in setup. vprint
2014-10-22 10:36:24 -07:00
James Lee
46acf08e2d
Merge remote-tracking branch 'upstream/master' into bug/msp-11497/loginscanner-tcp-evasions
2014-10-22 09:09:34 -05:00
nstarke
ee3dd3a2ac
More Fixes for WD MyBook Live Scanner
...
Fixes include removing deregistered options
from credentials collection object and adding proof
when there is no response
2014-10-22 03:06:21 +00:00
James Lee
0fcd1ac4f6
Restore tcp evasions to smb_login
2014-10-21 18:59:11 -05:00
James Lee
e1a7e902d6
Re-enable tcp evasions for more LoginScanners
...
Untested since I don't have targets for these.
2014-10-21 18:58:28 -05:00
sinn3r
6d11ec8477
These mods support Proxies, so make the option visible for the user
2014-10-21 15:39:24 -05:00
sinn3r
db7c420d8d
Merge the latest changes
2014-10-21 13:49:42 -05:00
James Lee
f9f8c413a8
Derp, ssh modules don't include Tcp for #proxies
2014-10-21 13:28:13 -05:00
sinn3r
79d393c5aa
Resolve merge conflicts
...
Conflicts:
lib/msf/core/exploit/smb.rb
lib/msf/core/exploit/tcp.rb
modules/auxiliary/scanner/http/axis_login.rb
2014-10-21 13:06:35 -05:00
James Lee
4705aeb762
Restore tcp evasions to ftp, pop3, vnc
2014-10-21 11:06:55 -05:00
James Lee
7d150ce0dd
Add tcp evasions to mysql
2014-10-21 10:05:18 -05:00
James Lee
e76ee294a1
Restore tcp evasions to telnet
2014-10-21 09:44:55 -05:00
nstarke
82b74d5f3c
Fixes to MyBook Live Module
...
This commit contains three fixes as requested on PR
#4003 . Those include:
+ Removing extraneous puts statement
+ Checking for valid response
+ SSL support.
2014-10-21 00:50:40 +00:00
nstarke
70b13819d9
Adding Login Scanner for MyBook Live
...
This is a LoginScanner auxiliary module for Western
Digital MyBook Live NAS devices as well as the spec
for testing.
2014-10-21 00:50:40 +00:00
jvazquez-r7
d6f4c02c2a
Land #3979 , @wchen-r7 fixes #3976 , http_login not using TARGETURI, neither uri normalization
2014-10-20 18:10:57 -05:00
jvazquez-r7
74ac16081f
Land #3981 , @wchen-r7 Fixes #3974 , axis_login.rb does not normalize URI
2014-10-20 17:51:13 -05:00
jvazquez-r7
00f137cdcf
Land #4040 , @nullbind's MS SQL privilege escalation through SQLi
2014-10-20 16:23:50 -05:00
jvazquez-r7
acc590b59c
Modify metadata
2014-10-20 16:22:10 -05:00
jvazquez-r7
1381c7fb37
Modify title
2014-10-20 16:17:47 -05:00
jvazquez-r7
323680c31a
Clean code
2014-10-20 16:17:06 -05:00
HD Moore
935a23296d
Updates to NAT-PMP, lands #4041
2014-10-20 11:26:26 -05:00
sinn3r
6b9742b444
Land #3966 - Add exploit for CVE-2014-4872 BMC / Numara Track-It!
2014-10-20 11:23:23 -05:00
James Lee
3051b6c5ba
Clean up exceptions
...
Of particular note is mysql, who was rescuing Rex::ConnectionTimeout
*after* Rex::ConnectionError, which never would have fired anyway.
2014-10-20 10:27:02 -05:00
James Lee
b7d69bec83
Restore proxies to ssh scanners
2014-10-20 10:19:06 -05:00
nullbind
036d43ba37
fixed logic bug
2014-10-19 20:56:29 -05:00
Jon Hart
2985b39267
Land #3980 , @wchen-r7 fixed #3975
2014-10-19 17:11:06 -07:00
ikkini
c2174c7910
return if no version response received
2014-10-19 00:29:36 +02:00
nullbind
1e2f1eaee0
cleaning up
2014-10-18 12:00:11 -05:00
James Lee
329a600b84
Add tcp evasion options to mssql_login
2014-10-17 17:40:21 -05:00
William Vu
10f3969079
Land #4043 , s/http/http:/ splat
...
What is a splat?
2014-10-17 13:41:07 -05:00
William Vu
367ea5d3db
Add disclosure date
2014-10-17 12:35:28 -05:00
Tod Beardsley
ccdaf2b576
Fix the banner
...
Turns out these will be broken in outstanding PRs for a while. At least
they won't be merge conflicts.
2014-10-17 12:23:23 -05:00
URI Assassin
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Tod Beardsley
ad501b25e4
Filename move to be less redundant
2014-10-17 11:25:14 -05:00
nullbind
bf92769ba2
added mssql_escalate_dbowner_sqli
2014-10-17 10:25:20 -05:00
Jon Hart
8fdae8fbfb
Move protocol and lifetime to mixin, use correct map_target if CHOST
2014-10-16 13:24:17 -07:00
James Lee
40b360555f
Make the error message a little more useful
2014-10-16 12:47:13 -05:00
Tod Beardsley
8cf10be779
Don't assume SSLv3 is set (kill FP+s)
2014-10-16 10:43:58 -05:00
Tod Beardsley
0b67efd51e
Add a POODLE scanner and general SSL version scan
2014-10-16 10:27:37 -05:00
James Lee
41a57b7ba5
Re-enable proxies for HTTP-based login scanners
2014-10-15 17:00:44 -05:00
Jon Hart
07f2d4dafe
Further improvements to NAT-PMP. Faster, more useful, less not useful
2014-10-15 06:39:38 -07:00
Tod Beardsley
592f1e9893
Land #3999 , errors on login suppressed by default
...
This also solved the merge conflict on:
modules/auxiliary/scanner/http/jenkins_login.rb
Fixes #3995 .
2014-10-14 16:35:09 -05:00
Jon Hart
ea6824c46f
WIP of NAT-PMP rework
2014-10-14 14:20:24 -07:00
William Vu
bdbad5a81d
Fix misaligned bracket
2014-10-14 13:43:59 -05:00
Tod Beardsley
9f6008e275
A couple OSVDB updates for recent modules
2014-10-14 13:39:36 -05:00
Tod Beardsley
56534e7ad3
Changed a login failed to vprint instead of print
...
People often like to supress failed attempts. Note that this change may
or may not have any effect, given the status of #3995 .
This module was introduced in PR #3947 .
2014-10-14 12:01:09 -05:00
Tod Beardsley
6ea3a78b47
Clarify the description on HP perfd module
...
Introduced in #3992
2014-10-14 11:58:52 -05:00
Nikita
621b9523b1
Update tnspoison_checker.rb
2014-10-13 22:05:08 +04:00
Nikita
1996886ae9
Update tnspoison_checker.rb
2014-10-13 12:53:39 +04:00
Nikita
22aabc7805
Add new module to test TNS poison
...
This module simply checks the server for vulnerabilities like TNS Poison
2014-10-13 12:21:07 +04:00
Jon Hart
d51d2bf5a0
Land #3990 , @wchen-r7's fix for #3984 , a busted check in drupal_views_user_enum
2014-10-12 19:38:55 -07:00
Jon Hart
76275a259a
Minor style cleanup of help and a failure message
2014-10-12 18:34:13 -07:00
Jon Hart
c3a58cec9e
Make note of other commands to investigate
2014-10-11 13:07:52 -07:00
Jon Hart
c80a5b5796
List commands in sorted order
2014-10-11 13:00:30 -07:00
Jon Hart
4ffc8b153c
Support running more than one perfd command in a single pass
2014-10-11 11:38:00 -07:00
Jon Hart
c72593fae4
Store just banner for service, loot the rest. Also, minor style.
2014-10-11 11:12:49 -07:00
Jon Hart
9550c54cd2
Correct indentation and whitespace
2014-10-11 10:39:12 -07:00
sinn3r
9500038695
Fix #3995 - Make negative messages less verbose
...
As an user testing against a large network, I only want to see
good news, not bad news.
2014-10-11 11:11:09 -05:00
Roberto Soares Espreto
7bd0f2c114
Changed Name, array in OptEnum and operator
2014-10-11 09:03:18 -03:00
Roberto Soares Espreto
cbde2e8cd1
Variable cmd now with interpolation
2014-10-10 18:21:16 -03:00
Roberto Soares Espreto
291bfed47e
Using Rex.sleep instead of select
2014-10-10 15:17:40 -03:00
Roberto Soares Espreto
bd315d7655
Changed print_good and OptEnum
2014-10-10 13:54:42 -03:00
Roberto Soares Espreto
08fdb4fab2
Add module to enumerate environment HP via perfd daemon
2014-10-10 13:09:36 -03:00
sinn3r
260aa8dc22
Fix #3984 - Fix broken check for drupal_views_user_enum
2014-10-10 10:23:20 -05:00
nstarke
472985a8a8
Adding Buffalo Linkstation NAS Login Scanner
...
I have added a login scanner for the Buffalo Linkstation
NAS. I have been testing against version 1.68 of the
firmware. Also included are some specs for this module.
2014-10-10 03:16:48 +00:00
Tod Beardsley
aefd15c185
Land #3376 , ARRIS SNMP enumerator from @inokii
2014-10-09 15:28:06 -05:00
sinn3r
7d8eadada6
Fix #3974 - Validate and normalize URI for axis_login
2014-10-09 14:33:39 -05:00
sinn3r
c9c34beafa
Fix #3975 - Register TARGETURI, not URI
...
The module should register TARGETURI and call #target_uri for
URI validation.
2014-10-09 14:10:29 -05:00
Pedro Ribeiro
8163b7de96
Thanks for helping me clean up Todd!
2014-10-09 18:20:31 +01:00
sinn3r
d366cdcd6e
Fix #3976 - validate and normalize user-supplied URI for http_login.rb
...
URI should be validated and normalized before being used in an HTTP
request.
2014-10-09 12:14:33 -05:00
Pedro Ribeiro
9d1e206e43
Incorporate cred changes and other minor fixes
2014-10-09 17:59:38 +01:00
Spencer McIntyre
a535d236f6
Land #3947 , login scanner for jenkins by @nstarke
2014-10-09 12:59:02 -04:00
Spencer McIntyre
6ea530988e
Apply rubocop changes and remove multiline print
2014-10-09 12:57:39 -04:00
jvazquez-r7
3305b1e9c3
Land #3984 , @nullbind's MSSQL privilege escalation module
2014-10-09 11:39:15 -05:00
jvazquez-r7
10b160bedd
Do final cleanup
2014-10-09 11:38:45 -05:00
jvazquez-r7
bbe435f5c9
Don't rescue everything
2014-10-09 11:25:13 -05:00
jvazquez-r7
0cd7454a64
Use default value for doprint
2014-10-09 11:04:42 -05:00
jvazquez-r7
db6f6d4559
Reduce code complexity
2014-10-09 10:59:14 -05:00
jvazquez-r7
615b8e5f4a
Make easy method comments
2014-10-09 10:48:00 -05:00
jvazquez-r7
dd03e5fd7d
Make just one connection
2014-10-09 10:46:51 -05:00
sinn3r
df0d4f9fb2
Fix #3973 - Unneeded datastore option URI
...
When Glassfish is installed, the web root is always /, so there is
no point to make this arbitrary.
2014-10-09 00:06:15 -05:00
nullbind
168f1e559c
fixed status
2014-10-08 21:19:50 -05:00
nullbind
3ebcaa16a1
removed scanner
2014-10-08 21:18:56 -05:00
nstarke
328be3cf34
Fine Tuning Jenkins Login Module
...
At the request of the maintainers, I have deregistered the
RHOST option and made the failure proof a verbose only
print.
2014-10-08 17:53:21 -05:00
Pedro Ribeiro
4817e1e953
Update trackit_sql_domain_creds.rb
2014-10-08 21:41:04 +01:00
Tod Beardsley
a901916b0b
Remove nonfunctional jtr_unshadow
...
This module hasn't been doing anything but print_error a go away message
since June, so may as well get rid of it.
2014-10-08 10:23:29 -05:00
Brendan Coles
3c7be9c4c5
Remove hash rockets from references #3766
...
[SeeRM #8776 ]
2014-10-08 09:01:19 +00:00
Pedro Ribeiro
6af6b502c3
Remove spaces at EOL
2014-10-08 08:30:30 +01:00
Pedro Ribeiro
713ff5134a
Add OSVDB id
2014-10-08 08:24:44 +01:00
Pedro Ribeiro
bd812c593c
Add full disclosure URL
2014-10-08 08:24:04 +01:00
Pedro Ribeiro
bbac61397d
Restore :address to rhost and explain why
2014-10-08 08:23:43 +01:00
Pedro Ribeiro
9cb0ad1ac2
Change the reporting address to the real value
2014-10-08 01:18:17 +01:00
Pedro Ribeiro
6e9bebdaf9
Fix noob mistake in assignment
2014-10-08 01:04:15 +01:00
Pedro Ribeiro
7dbfa19e65
Add exploit for Track-It! domain/sql creds vuln
2014-10-07 23:54:43 +01:00
nullbind
031fb19153
requested updates
2014-10-06 23:52:30 -05:00
William Vu
399a61d52e
Land #3946 , ntp_readvar updates
2014-10-06 21:57:57 -05:00
nstarke
e1b0ba5d3d
Removing 'require pry'
...
I accidentally left a reference to pry in my code.
Removing
2014-10-06 21:40:39 -05:00
nstarke
b8c2643d56
Converting Module to LoginScanner w/ Specs
...
The previous commits for this Jenkins CI module relied on an
obsolete pattern. Consequently, it was necessary to write
this module as a LoginScanner and incorporate the appropriate
specs so that the tests will run properly.
2014-10-06 21:14:10 -05:00
sinn3r
d3354d01f0
Fix #3808 - NoMethodError undefined method `map'
...
NoMethodError undefined method `map' due to an incorrect use of
load_password_vars
2014-10-06 15:42:51 -05:00
Jon Hart
8c8ccc1d54
Update Authors
2014-10-06 11:30:39 -07:00
nstarke
69400cf280
Fixing Author Declaration
...
I had accidentally listed myself three times as the author.
Fixing that issue so that I am only declaring myself once.
2014-10-05 23:17:28 -05:00
nstarke
c0a3691817
Adding Jenkins-CI Login Scanner
...
Per Github issue #3871 (RM8774), I have added a
login scanner module for Jenkins-CI installations.
2014-10-05 22:08:34 -05:00
James Lee
a65ee6cf30
Land #3373 , recog
...
Conflicts:
Gemfile
Gemfile.lock
data/js/detect/os.js
lib/msf/core/exploit/remote/browser_exploit_server.rb
modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
Jon Hart
a341756e83
Support spoofing source IPs for NTP readvar, include status messages
2014-10-03 14:05:57 -07:00
Jon Hart
fa4414155a
Only include the exact readvar payload, not any padding
2014-10-03 13:58:13 -07:00
Jon Hart
65c1a8230a
Address most Rubocop complaints
2014-10-03 13:47:29 -07:00
Jon Hart
0715c671c6
Update NTP readvar module to detect DRDoS, UDPScanner to be faster
2014-10-03 13:28:30 -07:00
Christian Mehlmauer
f45b89503d
change WPVULNDBID to WPVDB
2014-10-03 17:13:18 +02:00
Christian Mehlmauer
33b37727c7
Added wpvulndb links
2014-10-02 23:03:31 +02:00
William Vu
5df614d39b
Land #3928 , release fixes
2014-10-01 17:21:08 -05:00
HD Moore
77bb2df215
Adds support for both CVEs, lands #3931
2014-10-01 17:06:59 -05:00
William Vu
51bc5f52c1
Add CVE-2014-6278 support
...
Going with an OptEnum to simplify the code for now...
2014-10-01 16:40:55 -05:00
James Lee
7e05ff343e
Fix smbdirect
...
Also some whitespace and a typo in output message
2014-10-01 16:02:59 -05:00
Tod Beardsley
4fbab43f27
Release fixes, all titles and descs
2014-10-01 14:26:09 -05:00
sinn3r
be1df68563
Remove auxiliary/scanner/elasticsearch/indeces_enum.rb
...
Time is up, so good bye.
2014-09-30 17:24:21 -05:00
William Vu
5ea968f3ee
Update description to prefer the exploit module
2014-09-30 11:34:28 -05:00
William Vu
162e42080a
Update title to reflect scanner status
2014-09-30 11:04:17 -05:00
William Vu
12d7073086
Use idiomatic Ruby for the marker
2014-09-29 22:32:07 -05:00
William Vu
71d6b37088
Fix bad header error from pure Bash CGI script
2014-09-29 22:25:42 -05:00